alexander/lenovo-gentoo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add backup and security hardening

Browse Source
This commit is contained in:
Alexander Hinrichs
2025-11-08 00:28:17 +01:00
parent 8de3f16ee6
commit 96f521a474
23 changed files with 5696 additions and 939 deletions
Download Patch File Download Diff File Expand all files Collapse all files

722
Security-Hardening.md Normal file
View File

@@ -0,0 +1,722 @@
# Security Hardening Guide
Complete guide for hardening the Gentoo workstation with firewall, intrusion
prevention, and SSH security.
## Overview
This guide covers comprehensive security hardening for a single-user Gentoo
development workstation with a focus on practical security without
over-engineering.
## Table of Contents
- [Security Philosophy](#security-philosophy)
- [Threat Model](#threat-model)
- [Components](#components)
- [Installation](#installation)
- [Firewall Configuration](#firewall-configuration)
- [Intrusion Prevention](#intrusion-prevention)
- [SSH Hardening](#ssh-hardening)
- [Additional Security](#additional-security)
- [Monitoring](#monitoring)
- [Troubleshooting](#troubleshooting)
## Security Philosophy
**Pragmatic security approach**:
1. **Defense in Depth**: Multiple layers of security
2. **Minimal Attack Surface**: Only expose what's necessary
3. **Fail Securely**: Default deny policies
4. **Logging and Monitoring**: Track security events
5. **Maintainability**: Keep it simple and documented
## Threat Model
### Primary Threats
1. **Network attacks**: Port scanning, brute force, exploits
2. **SSH brute force**: Automated login attempts
3. **Malware**: Trojans, backdoors from compromised packages
4. **Physical access**: Limited concern (personal workstation)
### Out of Scope
- Advanced persistent threats (APTs)
- Nation-state actors
- Physical security (trusted environment)
- Multi-user system hardening (single user)
## Components
### 1. nftables Firewall
Modern Linux firewall with:
- Default deny incoming policy
- Allow established connections
- Rate limiting for services
- Connection tracking
- Docker support
### 2. fail2ban
Intrusion prevention system that:
- Monitors SSH login attempts
- Automatically bans malicious IPs
- Integrates with nftables
- Configurable ban times and thresholds
### 3. SSH Hardening
Secure SSH configuration:
- Modern ciphers only
- Key-based authentication
- No root login
- Connection limits
- Logging and monitoring
## Installation
### Prerequisites
```bash
# Install required packages
emerge -av net-firewall/nftables
emerge -av net-analyzer/fail2ban
emerge -av net-misc/openssh
# Ensure SSH is configured and working
rc-service sshd status
```
### Install Security Components
```bash
cd ~/repository/git.hinrichs.dev/alexander/claude/lenovo-gentoo/scripts/security-setup
sudo ./INSTALL.sh
```
**⚠️ CRITICAL**: Keep your current SSH session open until you verify everything
works!
### Installation Steps
The script will:
1. ✅ Install nftables firewall configuration
2. ✅ Install fail2ban jail configuration
3. ✅ Install SSH hardening configuration
4. ✅ Backup all existing configs
5. ✅ Enable services in OpenRC
## Firewall Configuration
### Overview
The nftables firewall uses a default deny policy with explicit allow rules.
**Location**: `/etc/nftables.conf`
### Default Rules
```
INPUT chain (incoming):
- DROP everything by default
- ACCEPT established/related connections
- ACCEPT loopback traffic
- ACCEPT ICMP (rate limited)
- ACCEPT SSH (rate limited, LAN only)
- ACCEPT mDNS (local network discovery)
FORWARD chain:
- DROP everything by default
- ACCEPT established/related (for Docker if needed)
OUTPUT chain:
- ACCEPT everything (workstation outgoing)
```
### Key Features
#### 1. SSH Rate Limiting
Prevents brute force attacks:
```nft
# Max 3 SSH connections per minute per IP
tcp dport 22 ct state new \
add @ratelimit_ssh { ip saddr limit rate 3/minute } accept
```
#### 2. ICMP Rate Limiting
Prevents ping floods:
```nft
# Max 5 pings per second
ip protocol icmp icmp type echo-request limit rate 5/second accept
```
#### 3. Connection Tracking
Tracks connection state for efficient filtering:
```nft
# Allow responses to outgoing connections
ct state established,related accept
# Drop invalid packets
ct state invalid drop
```
### Testing Firewall
```bash
# Test configuration syntax
sudo nft -f /etc/nftables.conf
# View current rules
sudo nft list ruleset
# Start firewall
sudo rc-service nftables start
# Check status
sudo rc-service nftables status
```
### Enable at Boot
```bash
sudo rc-update add nftables default
```
### Customization
#### Allow Additional Ports
Edit `/etc/nftables.conf` and add rules in the `input` chain:
```nft
# Allow HTTP/HTTPS
tcp dport { 80, 443 } accept
# Allow custom application
tcp dport 8080 accept
```
#### Docker Integration
Uncomment Docker rules if using Docker:
```nft
# In forward chain:
iifname "docker0" accept
oifname "docker0" accept
# In nat table:
oifname $lan_interface masquerade
```
#### Block Specific IPs
```nft
# At top of input chain:
ip saddr 1.2.3.4 drop
ip saddr 5.6.7.0/24 drop
```
## Intrusion Prevention
### fail2ban Overview
fail2ban monitors log files and bans IPs with malicious behavior.
**Location**: `/etc/fail2ban/jail.local`
### Default Configuration
```ini
[DEFAULT]
bantime = 1h # Ban duration
findtime = 10m # Time window for maxretry
maxretry = 3 # Failed attempts before ban
[sshd]
enabled = true
port = ssh
maxretry = 3
bantime = 1h
```
### Starting fail2ban
```bash
# Start service
sudo rc-service fail2ban start
# Check status
sudo fail2ban-client status
# Check SSH jail
sudo fail2ban-client status sshd
# Enable at boot
sudo rc-update add fail2ban default
```
### Monitoring
```bash
# View banned IPs
sudo fail2ban-client status sshd
# Unban an IP
sudo fail2ban-client set sshd unbanip 1.2.3.4
# View fail2ban log
sudo tail -f /var/log/fail2ban.log
```
### Customization
#### Adjust Ban Times
Edit `/etc/fail2ban/jail.local`:
```ini
[sshd]
maxretry = 5 # More lenient
bantime = 24h # Longer ban
findtime = 1h # Longer time window
```
#### Add Email Notifications
```ini
[DEFAULT]
destemail = your.email@example.com
sendername = Fail2Ban
action = %(action_mwl)s # Mail with logs
```
#### Whitelist IPs
```ini
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
192.168.1.0/24
10.0.0.0/8
```
## SSH Hardening
### Overview
Hardened SSH configuration with modern ciphers and security best practices.
**Location**: `/etc/ssh/sshd_config.d/hardening.conf`
### Key Security Features
#### 1. Modern Cryptography
```
# Strong key exchange algorithms
KexAlgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256
# Strong ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
# Strong MACs
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
```
#### 2. Authentication Security
```
PermitRootLogin no # No root login
PasswordAuthentication no # Keys only
MaxAuthTries 3 # Limit attempts
LoginGraceTime 30 # Quick timeout
```
#### 3. Connection Limits
```
MaxSessions 5 # Max concurrent sessions
ClientAliveInterval 300 # 5 min keepalive
ClientAliveCountMax 2 # 2 missed keepalives = disconnect
```
#### 4. Disable Insecure Features
```
X11Forwarding no # No X11
PermitUserEnvironment no # No env manipulation
HostbasedAuthentication no # No host-based auth
IgnoreRhosts yes # Ignore .rhosts
```
### Testing SSH Configuration
```bash
# Test configuration syntax
sudo sshd -t
# Test connection (from another terminal)
ssh alexander@localhost
# View active SSH sessions
who
# View SSH logs
sudo tail -f /var/log/auth.log
```
### Apply SSH Changes
```bash
# Restart SSH service
sudo rc-service sshd restart
# Or reload configuration
sudo kill -HUP $(cat /var/run/sshd.pid)
```
### SSH Key Setup
If not already using SSH keys:
```bash
# Generate ED25519 key (modern, secure)
ssh-keygen -t ed25519 -C "alexander@lenovo-gentoo"
# Or RSA 4096 (wider compatibility)
ssh-keygen -t rsa -b 4096 -C "alexander@lenovo-gentoo"
# Copy to remote host
ssh-copy-id user@remote-host
# Test key-based login
ssh user@remote-host
```
## Additional Security
### 1. System Updates
Keep system updated:
```bash
# Update package database
emerge --sync
# Check for updates
emerge -uDNp @world
# Install updates
emerge -uDN @world
# Check for security advisories
glsa-check -l
```
### 2. Audit Logging
Enable system auditing:
```bash
# Install audit daemon
emerge -av sys-process/audit
# Enable service
rc-update add auditd default
rc-service auditd start
# View audit logs
ausearch -m avc
```
### 3. File Integrity Monitoring
Use AIDE for file integrity:
```bash
# Install AIDE
emerge -av app-forensics/aide
# Initialize database
aide --init
# Check for changes
aide --check
```
### 4. Kernel Hardening
Enable kernel security features in `/etc/sysctl.conf`:
```conf
# Prevent IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Ignore source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Enable SYN cookies
net.ipv4.tcp_syncookies = 1
# Log martian packets
net.ipv4.conf.all.log_martians = 1
# Disable IPv6 if not needed
# net.ipv6.conf.all.disable_ipv6 = 1
```
Apply changes:
```bash
sudo sysctl -p
```
### 5. Automatic Updates (Optional)
**Note**: Not recommended for Gentoo due to compilation time and potential
breakage. Manual updates preferred.
## Monitoring
### Security Event Monitoring
#### 1. Check SSH Login Attempts
```bash
# Recent successful logins
last -10
# Failed login attempts
sudo grep "Failed password" /var/log/auth.log | tail -20
# All SSH activity today
sudo grep "$(date +%b\ %d)" /var/log/auth.log | grep sshd
```
#### 2. Check Firewall Drops
```bash
# View dropped packets in dmesg
sudo dmesg | grep "nftables-drop"
# View nftables statistics
sudo nft list ruleset -a
```
#### 3. Check fail2ban Bans
```bash
# Current bans
sudo fail2ban-client status sshd
# Ban history
sudo zgrep "Ban " /var/log/fail2ban.log*
```
#### 4. Check Open Ports
```bash
# Listening ports
sudo ss -tlnp
# Or with netstat
sudo netstat -tlnp
```
### Automated Monitoring Script
Create `~/bin/security-check`:
```bash
#!/bin/sh
# Daily security check script
echo "Security Status Report - $(date)"
echo "======================================"
echo ""
echo "SSH Failed Logins (last 24h):"
sudo grep "Failed password" /var/log/auth.log | \
grep "$(date +%b\ %d)" | wc -l
echo ""
echo "fail2ban Banned IPs:"
sudo fail2ban-client status sshd | grep "Banned IP list"
echo ""
echo "Open Ports:"
sudo ss -tlnp | grep LISTEN
echo ""
echo "Firewall Status:"
sudo rc-service nftables status
echo ""
echo "Last 5 Logins:"
last -5
```
Make executable:
```bash
chmod +x ~/bin/security-check
```
Run daily:
```bash
# Add to crontab
crontab -e
# Daily at 9 AM
0 9 * * * ~/bin/security-check | mail -s "Security Report" root
```
## Troubleshooting
### Firewall Blocks Legitimate Traffic
**Problem**: Cannot access services after enabling firewall
**Solution**: Add rules for required services
```bash
# Temporarily stop firewall for testing
sudo rc-service nftables stop
# Test service
# If it works, firewall is blocking it
# Add rule to /etc/nftables.conf
# Restart firewall
sudo rc-service nftables start
```
### Locked Out of SSH
**Problem**: Cannot SSH after hardening
**⚠️ Prevention**: Always keep a session open when testing SSH changes!
**Solution** (requires physical/console access):
```bash
# Via console/physical access
sudo rc-service sshd stop
# Restore backup
sudo cp /etc/ssh/sshd_config.backup.* /etc/ssh/sshd_config
# Start SSH
sudo rc-service sshd start
```
### fail2ban Not Banning
**Problem**: fail2ban doesn't ban attackers
**Check logs**:
```bash
sudo tail -f /var/log/fail2ban.log
```
**Common issues**:
1. Wrong log path in jail.local:
```bash
# Find SSH log location
grep "sshd" /var/log/* 2>/dev/null
```
2. Regex doesn't match log format:
```bash
# Test regex
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
```
3. Service not running:
```bash
sudo rc-service fail2ban restart
```
### False Positives
**Problem**: Legitimate IPs getting banned
**Solution**: Add to whitelist in `/etc/fail2ban/jail.local`:
```ini
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
192.168.2.0/24
10.0.0.0/8
```
### Performance Issues
**Problem**: Firewall causing lag
**Check rules**:
```bash
# Count rules
sudo nft list ruleset | grep -c "rule"
# Check for expensive operations
sudo nft list ruleset -a
```
**Solution**: Optimize rules, reduce logging
## Security Checklist
Daily/Weekly tasks:
- [ ] Check SSH login attempts
- [ ] Review fail2ban bans
- [ ] Check firewall logs
- [ ] Verify services are running
- [ ] Review open ports
Monthly tasks:
- [ ] Update system packages
- [ ] Review firewall rules
- [ ] Check for security advisories
- [ ] Review user accounts
- [ ] Test backup restoration
- [ ] Review logs for anomalies
## Best Practices
1. **Keep Software Updated**: Regular updates prevent exploits
2. **Minimal Services**: Only run what you need
3. **Strong Authentication**: Use keys, not passwords
4. **Monitor Logs**: Regular log review catches issues early
5. **Test Changes**: Always test in safe environment
6. **Document Everything**: Keep notes on configuration changes
7. **Backup Configs**: Before making changes
8. **Defense in Depth**: Multiple security layers
9. **Principle of Least Privilege**: Minimal permissions needed
10. **Stay Informed**: Follow security news and advisories
## See Also
- [Backup-Setup.md](Backup-Setup.md) - Backup system guide
- [USER-GUIDE.md](USER-GUIDE.md) - Quick reference guide
- [CLAUDE.md](CLAUDE.md) - System overview
- `/etc/nftables.conf` - Firewall configuration
- `/etc/fail2ban/jail.local` - fail2ban configuration
- `/etc/ssh/sshd_config.d/hardening.conf` - SSH hardening